AWS S3

How to automatically deploy SSL certificates to an AWS S3 bucket.

Overview

AutoSSL can automatically upload SSL certificate files to an Amazon S3 bucket. Each certificate is archived under a versioned archive path and also updated under a latest/ path for easy discovery by downstream consumers (e.g., Nginx, Caddy, or custom scripts that pull certificates from S3).

For instructions on how to manage and run this deployment, please refer to the Deployment Management section.

Configuration Parameters

When you add or edit this deployment target in the AutoSSL console, you will need to configure the following parameters:

| Parameter | Description | Example |
| --- | --- | --- |
| Region | The AWS Region where the S3 bucket is located. | us-east-1 |
| Bucket Name | The name of the S3 bucket to upload certificate files to. | my-ssl-certs |
| Object Key Prefix | (Optional) A prefix for organizing certificate files in the bucket. If set, files will be uploaded under this prefix. Trailing slash is optional. | certs/example.com/ |

How it Works

When AutoSSL deploys a certificate to an AWS S3 bucket (e.g., my-ssl-certs in us-east-1 with prefix certs/example.com/), it performs the following steps:

  1. Certificate Preparation:

    • Splits the full certificate chain into individual PEM files: cert.pem (leaf certificate), privkey.pem (private key, PKCS#8 encoded), chain.pem (intermediate chain), and fullchain.pem (full chain).
    • Generates a README.md file with certificate metadata and a link to https://autossl.dev for traceability.
    • Parses the certificate notBefore date and SHA1 fingerprint to generate an archive directory name (format: YYYY-MM-DD_<first 8 chars of SHA1>).
  2. File Upload:

    • Uploads certificate files (four PEM files and README.md) to two paths in the bucket:
      • Archive path: certs/example.com/2026-05-30_e5f6a7b8/cert.pem (and privkey.pem, chain.pem, fullchain.pem, README.md). This path is unique per certificate issuance and is never overwritten.
      • Latest path: certs/example.com/latest/cert.pem (and privkey.pem, chain.pem, fullchain.pem, README.md). This path always reflects the most recently uploaded certificate.

The latest/ path allows downstream services to always fetch the current certificate from a fixed S3 key. Historical certificates remain accessible under their versioned archive directories.

Example Bucket Structure

After multiple certificate renewals, your bucket structure will look like this:

certs/example.com/
├── 2026-03-01_a1b2c3d4/
│   ├── cert.pem
│   ├── privkey.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── README.md
├── 2026-05-30_e5f6a7b8/
│   ├── cert.pem
│   ├── privkey.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── README.md
└── latest/
    ├── cert.pem
    ├── privkey.pem
    ├── chain.pem
    ├── fullchain.pem
    └── README.md

Private Key Format

privkey.pem is encoded in PKCS#8 format (-----BEGIN PRIVATE KEY-----). This format is widely supported by modern web servers and tools (Nginx, Caddy, Traefik, OpenSSL 1.1+, etc.).

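If your environment requires PKCS#1 format (e.g. -----BEGIN RSA PRIVATE KEY----- for RSA keys), convert it locally before use. On OpenSSL 3.0 and later, openssl rsa writes PKCS#8 by default, so pass -traditional to get PKCS#1 output (omit the flag on OpenSSL 1.1.x, which writes PKCS#1 by default and does not accept it):

openssl rsa -in privkey.pem -out privkey-pkcs1.pem -traditional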

Access Key Requirement

To interact with the AWS API, this provider requires an AWS Access Key.

Required Permissions

The Access Key must belong to an AWS IAM user with permissions to upload objects to the target S3 bucket.

You need to attach an IAM policy to your user with at least the following actions on the target bucket prefix:

  • s3:PutObject

Example minimal IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-ssl-certs/certs/example.com/*"
    }
  ]
}

For more information on how to manage IAM permissions, please refer to the AWS IAM Documentation.
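
To check that the policy attached to the deployment user stays as narrow as the minimal policy above, the following added example (not AutoSSL's own code) audits a policy document for Allow statements that go beyond s3:PutObject on the configured prefix. The function name and the over-broad sample policy are constructed for illustration; Condition blocks and Deny statements are not evaluated.

```python
# Added example: audit an IAM policy against the minimal AutoSSL deploy grant.
def _as_list(value):
    """IAM allows a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def audit_deploy_policy(policy, bucket, prefix=""):
    """Return findings for Allow statements broader than s3:PutObject on the prefix."""
    prefix = prefix.strip("/")  # the trailing slash is optional in the console
    # Literal ARN every allowed Resource must start with. The trailing "/" matters:
    # ".../certs/example.com*" would also match ".../certs/example.community/".
    scope = f"arn:aws:s3:::{bucket}/" + (f"{prefix}/" if prefix else "")
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "s3:putobject":  # IAM action names are case-insensitive
                findings.append(f"statement {i}: extra action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(scope):
                findings.append(f"statement {i}: resource {resource} reaches outside {scope}")
    return findings

# The minimal policy shown on this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-ssl-certs/certs/example.com/*",
    }],
}

# Constructed sample: a policy that drifted to bucket-wide write and delete.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::my-ssl-certs/*",
    }],
}

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_deploy_policy(pol, "my-ssl-certs", "certs/example.com/"))
```

An empty list means the policy grants nothing beyond what the deployment needs; each finding names the statement index and the action or resource that widens it.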